Insufficient input validation in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45 may allow an unauthenticated user to potentially enable a denial of service or information disclosure via adjacent access. (CVE-2019-0131)

A heap overflow in subsystem in Intel® CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.50, Intel® TXE before versions 3.1.70 and 4.0.20 may allow an unauthenticated user to potentially enable an escalation of privileges, information disclosure or denial of service via adjacent access. (CVE-2019-0169)

A logic issue in subsystem for Intel® CSME before versions 12.0.45, 13.0.10 and 14.0.10 may allow a privileged user to potentially enable an escalation of privilege and information disclosure via local access. (CVE-2019-11105)

A logic issue in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow an unauthenticated user to potentially enable an escalation of privilege via network access. (CVE-2019-11131)

Cross site scripting in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow a privileged user to potentially enable an escalation of privilege via network access. (CVE-2019-11132)

Insufficient access control in the hardware abstraction driver for Intel® CSME MEInfo before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35, 13.0.10, 14.0.10; TXEInfo software for Intel® TXE before versions 3.1.70 and 4.0.20, INTEL-SA-00086 Detection Tool version 1.2.7.0 or before, INTEL-SA-00125 Detection Tool version 1.0.45.0 or before may allow an authenticated user to potentially enable an escalation of privilege via local access. (CVE-2019-11147)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00241 is:

A potential security vulnerability in Intel® Software Guard Extensions (Intel® SGX) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

A potential security vulnerability in Intel® Trusted Execution Technology (Intel® TXT) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

Multiple potential security vulnerabilities in Intel® Trusted Execution Technology (Intel® TXT) may allow users to potentially cause an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:

Multiple potential security vulnerabilities in Intel® firmware (BIOS) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high CVSS base scores is as follows:

A potential security vulnerability in some Intel® CPUs may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

TSX Asynchronous Abort (TAA) condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

A potential security vulnerability in some Intel® CPUs may allow users to potentially cause a denial of service. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

Improper conditions check in the voltage modulation interface for some Intel® Xeon® Scalable Processors may allow a privileged user to potentially enable denial of service via local access. (CVE-2019-11139)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00271 is:

A potential security vulnerability in Intel® Converged Security and Management Engine (Intel® CSME) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:

Improper authentication in subsystem in Intel® CSME versions before versions 12.0.49 (IOT only: 12.0.57), 13.0.21, 14.0.11 may allow a privileged user to potentially enable an escalation of privilege, denial of service or information disclosure via local access. (CVE-2019-14598)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00307 is:

The detailed description of the issues (no newly assigned CVEs; some FUNCTIONAL issue only) is as follows:

MD_CLEAR OPERATIONS: May Overwrite Fill Buffers With Data That is Not Constant

On processors that enumerate the MD_CLEAR CPUID bit, the VERW mem instruction will overwrite buffers affected by MDS (Microarchitectural Data Sampling). On processors also affected by this erratum, VERW may overwrite portions of the fill buffers with recently stored data rather than uniformly constant data.

Software using VERW to prevent MDS side channel methods from revealing previous accessed data may not prevent those side-channel methods from inferring the value stored by the most recent preceding stores to certain address offsets.

TA INDIRECT SHARING: STIBP, IBRS and IBPB May Not Function as Intended

Spectre variant 2 (Branch Target Injection) mitigations may not be fully effective in certain corner cases. This affects one or more of STIBP, IBRS and IBPB MSR bits. The "retpoline" mitigation technique is not affected. This also does not affect parts that are run with Hyper-Threading (HT) disabled.

Affection and Remediation

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) and Server products (PRIMERGY and PRIMEQUEST) can be found here:

After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

Hints:

To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel(R) Active Management Technology Driver package for Windows.

To run the ME Update procedure using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by "drvload.exe< Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.

Further Information

Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.